Hijacker help

Discussion in 'Software' started by ktatt33, May 29, 2005.

  1. ktatt33

    ktatt33 Private E-2

    Okay so I have a hijacker. I followed all the steps listed from Major Attitude. I then started to follow the steps posted by Chaslang. On my HijackThis log...I don't have a R0 line and my R1 line looks nothing like what I'm supposed to be searching for...Please help...I need my email for school work and I want to prove to my fiance that I can fix this stupid problem all by myself.
     
  2. ktatt33

    ktatt33 Private E-2

    Please Help

    If I post my log file... will someone please help me???
     
  3. ktatt33

    ktatt33 Private E-2

    Re: Please Help

    I've followed all the steps all I need is someone to look at my logfile and PLEASE help me...Thanks
     
  4. ktatt33

    ktatt33 Private E-2

    Chaslang...Please help

    I have followed all the steps from previous posts on how to remove spyware...I cannot check my email due to a hijacker...please help...
     
  5. ANHEDONIC

    ANHEDONIC Will Title For Food

    Re: Chaslang...Please help

    ktatt you didn't provide any information...

    if you expect to get your problem resolved, you need to provide Chaslang or BJGarrick with as much information as possible...

    what OS are you running on, what's the name of the hijacker (or what website are you redirected to), what steps have you already tried, etc... be as descriptive as possible
     
  6. ktatt33

    ktatt33 Private E-2

    Re: Chaslang...Please help

    Whenever I try to check my email...I am redirected to a search site that I have never heard of...I have tried every single step that Major Attitude said to do...I had no problems...spyware was removed....I have Windows XP...
     
  7. AbbySue

    AbbySue MajorGeeks Administrator

    Re: Please Help

    ktatt33, I have merged your 3 threads together. Please be patient and stay in one thread...there are many, many users in here who need help so it takes time to answer everyone. Thank you:)
     
  8. ktatt33

    ktatt33 Private E-2

    Still awaiting help...I have followed the steps that have been posted before by Major Attitude and still no fix...Please someone help me....I really need my email to finish some school work...Thanks
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    ktatt33,

    I apologize for the delayed response. We are very busy here in the Spyware Forum. Let's start by getting a HJT log.

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  10. ktatt33

    ktatt33 Private E-2

    Here's my log...thanks
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Are you familiar with the entry above?


    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [Ynfdn+[jh`n+Hj{~yn] FXOE%nsn
    O4 - HKLM\..\RunServices: [Ynfdn+[jh`n+Hj{~yn] FXOE%nsn

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe (file missing)
    O23 - Service: Remote Packet Capture (rempc) - Unknown owner - C:\WINDOWS\System32\MSDN.exe" -service (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    After you complete the above REBOOT, Scan with HijackThis and attach the new log.
     
  12. ktatt33

    ktatt33 Private E-2

    Here's my new hijack this log...I followed your directions and the two for lines 04 did not get removed...Is this bad??? and no I'm not familiar with the line that you posted??? Do you think I should bring my computer to someone??? I'm really getting desperate...All I want is my email back...ughhhh I'm getting really frustrated....Thanks
     

    Attached Files:

  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Boot into Safe Mode! Once in Safe Mode scan with HJT and have it fix the below entries:

    O4 - HKLM\..\Run: [Ynfdn+[jh`n+Hj{~yn] FXOE%nsn
    O4 - HKLM\..\RunServices: [Ynfdn+[jh`n+Hj{~yn] FXOE%nsn
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    O17 - HKLM\System\CCS\Services\Tcpip\..\{AB61CD53-8DBD-4440-BCB0-776D1E3F7E2A}: NameServer = 204.60.203.179 66.73.20.40

    O23 - Service: Remote Packet Capture (rempc) - Unknown owner - C:\WINDOWS\System32\MSDN.exe" -service (file missing)

    Be sure you have ALL browsers closed before clicking FIX.

    After you complete the above, reboot and post a fresh HJT log.
     
  14. ktatt33

    ktatt33 Private E-2

    Ughhhh...I really am following all the directions you are posting...Do you know what's wrong???
     

    Attached Files:

  15. ktatt33

    ktatt33 Private E-2

    Here's the newest log....I really am following the directions that you are providing me with...
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    Here is a suggestion for you to try guiding the user on.
    Use regedit (or another tool) to export the Run and RunServices registry keys to a file.

    Then build up a registry script to completely delete the Run and RunServices keys and then restore the key and only the valid entries under that key using the info from the export. This is usually pretty easy to do.
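
The approach suggested in the post above, sketched as an added example (it is not the fix files attached later in the thread, and not MajorGeeks code): parse a regedit export of the Run and RunServices keys, then emit a script that deletes each key and restores only reviewer-approved values. The `ExampleAV` entry, the `APPROVED` set and all function names are assumptions made for illustration; the obfuscated value is the one shown in the thread's O4 lines.

```python
import re

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(HKEY_.+)\]$")
# "name"=data or @=data; a quoted name may contain backslash escapes
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample export. Only the obfuscated value is taken from the
# thread's O4 lines; "ExampleAV" and its path are invented for illustration.
SAMPLE_EXPORT = "\r\n".join([
    HEADER, "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"ExampleAV"="\"C:\\Program Files\\ExampleAV\\tray.exe\" /min"',
    r'"Ynfdn+[jh`n+Hj{~yn"="FXOE%nsn"',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]",
    r'"Ynfdn+[jh`n+Hj{~yn"="FXOE%nsn"',
    "",
])
APPROVED = {"ExampleAV"}  # value names the reviewer judged valid (assumption)


def decode_export(raw: bytes) -> str:
    """Version 5.00 exports are UTF-16LE with a BOM; older REGEDIT4 files are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("latin-1")


def unquote(name: str) -> str:
    """Strip the surrounding quotes and undo backslash escapes in a value name."""
    return name if name == "@" else re.sub(r"\\(.)", r"\1", name[1:-1])


def parse_export(text: str) -> dict:
    """Return {key_path: [(name_as_written, data_as_written), ...]}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        entries = keys.get(current, [])
        if entries and entries[-1][1].endswith("\\"):
            # hex: data wraps across lines with a trailing backslash
            entries[-1] = (entries[-1][0], entries[-1][1] + "\r\n" + line)
            continue
        key = KEY_RE.match(line)
        value = VALUE_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, [])
        elif value and current is not None:
            keys[current].append((value.group(1), value.group(2)))
    return keys


def build_fix(keys: dict, approved: set) -> tuple:
    """Delete each exported key, recreate it, and restore only approved values."""
    out, dropped = [HEADER, ""], []
    for path, entries in keys.items():
        # [-key] removes the key together with every value stored in it
        out += [f"[-{path}]", "", f"[{path}]"]
        for name, data in entries:
            if unquote(name) in approved:
                out.append(f"{name}={data}")
            else:
                dropped.append((path, unquote(name), data))
        out.append("")
    return "\r\n".join(out), dropped
```

Approval here is by value name only; compare the data of each restored value against the export as well before merging, and keep the original export as the backup.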
     
  17. ktatt33

    ktatt33 Private E-2

    Ummm how would I go about doing that???
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type in regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Right Click on the folder RUN and select Export. Type in a filename to save it as, choose something like RUN.reg

    Now, navigate to the following key and do the same as above, name this one Runservices.reg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    After you have exported both keys, you will need to compress them to a .zip file to upload them as attachments.

    Download WinZip and install it. After you install it, select both registry files you have saved, select compress to (Desktop.zip) and then upload this file to your next post.
     
  19. ktatt33

    ktatt33 Private E-2

    Here's what you asked for...Thanks
     

    Attached Files:

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the attached .zip file. After download is complete, extract to your desktop and run both registry fixes. The files are as listed below.

    Runfix.reg

    runservicesfix.reg


    Double click on both files, click YES to merge into the registry. After both files have been merged, reboot and post a fresh HJT log.
     

    Attached Files:

  21. ktatt33

    ktatt33 Private E-2

    Here's my new log...I don't think it worked because I still can't check my email...
     

    Attached Files:

  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type in regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Now on the folder RUN, right click and delete the entire folder. DO NOT REBOOT until you complete this entire fix.

    Now Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    Again, on the RunServices folder, right click and delete the entire folder!


    After removing both folders, download the attached zip file. Extract both files to your desktop and merge both. Afterwards reboot and post a fresh HJT log.
     

    Attached Files:

  23. ktatt33

    ktatt33 Private E-2

    Here's my new log....I think it worked...I'm able to check my email but I noticed that some of the lines that you had me delete before are still there...Am I fixed???
     

    Attached Files:

  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Reboot into Safe Mode and follow this fix word for word

    Complete post #22 again, after you complete the fix in post 22, scan with HJT and have it fix the below entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    O4 - HKLM\..\Run: [Ynfdn+[jh`n+Hj{~yn] FXOE%nsn
    O4 - HKLM\..\RunServices: [Ynfdn+[jh`n+Hj{~yn] FXOE%nsn

    O17 - HKLM\System\CCS\Services\Tcpip\..\{AB61CD53-8DBD-4440-BCB0-776D1E3F7E2A}: NameServer = 204.60.203.179 66.73.20.40

    O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe (file missing)
    O23 - Service: Remote Packet Capture (rempc) - Unknown owner - C:\WINDOWS\System32\MSDN.exe" -service (file missing)

    Be sure ALL browsers are closed before you click FIX!

    NOW:
    Navigate to and delete the following file:


    C:\WINDOWS\System32\MSDN.exe

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate Remote Packet Capture (rempc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    After you do the above, run CCleaner and then reboot into normal mode and attach a fresh HJT log.
     
  25. ktatt33

    ktatt33 Private E-2

    Here is my new log... I went to fix both of line 4 but they were not present in the most recent log...Also when I went to stop the Remote Packet Capture, it was already stopped... I don't know what any of this means so I hope it is of some help to you...Again I can check my email and that's what I really needed to get accomplished....Am I still hijacked???
     

    Attached Files:

  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is now clean!:)

    You must now surf in to Windows Updates and get updated! You need to install Service Pack 2 to prevent future infections.

    Are you having any further problems?
     
  27. ktatt33

    ktatt33 Private E-2

    I think I spoke too soon...I went to go check my email this morning and I was redirected to another search engine that I have never heard of....Oh such a tease...I thought I was fixed....here's the new log....
     

    Attached Files:

  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download the following program:

    Spy Sweeper 3.5.0.199

    After you install, be sure you get all available updates! After you get the updates run a full sweep and remove all found infections.

    Afterwards reboot and let me know how things are running.
     
  29. ktatt33

    ktatt33 Private E-2

    Okay...I followed your directions from the above post...I downloaded the updates and everything...I removed a lot of adware and a trojan horse (???) It kept asking me if I wanted to restore my default internet explorer web page...It said it was set to about blank...I checked restore default web page... I hope that is correct...When I go onto internet explorer it keeps coming up as about blank...I try to go to Yahoo.com (that's my email) and it redirects to that weird search engine...I attached my new log...Thanks for helping me and putting up with me and this mess...
     

    Attached Files:

  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    1) Download TrojanHunter

    2) Install TrojanHunter. At the end of the install, setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.

    After you complete the scan and remove the infections found reboot and post a fresh HJT log.

    Also, make a note and let me know if anything was found or removed.
     
  31. ktatt33

    ktatt33 Private E-2

    Here's the latest log...still can't check email...This is what was found and removed from my computer using TrojanHunter

    Port Scan
    Port 5180/TCP is open (matches Peeper.120. Port being used by process aim.exe/PID 1204

    File Scan
    Found Trojan C:\WINDOWS\System32\IR41_QC6.exe (Adware.IEDriver.101)
    C:\WINDOWS\System32|MSRDO202.exe (Adware.Batmeter.100)



    Hope this helps you help me...Thanks
     

    Attached Files:

  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Those 2 AB entries make me think of an old infection that has similar symptoms. To rule this out proceed with the below.


    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.bat and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the fix.bat file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop).

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    Make sure All Browser Windows are Closed when you Click FIX.

    After you complete the above, reboot and post a fresh HJT log.
     
  33. ktatt33

    ktatt33 Private E-2

    Alrighty...I did what you said and when I double clicked on the fix.bat file this is what it said...

    [SC] Openservice FAILED 1060:

    The specified service does not exist as an installed service. Press any key to continue.....

    Here is the new log...I don't know why those two files won't go away...
     

    Attached Files:

  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, uninstall SpySweeper & TrojanHunter.

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

    O17 - HKLM\System\CCS\Services\Tcpip\..\{AB61CD53-8DBD-4440-BCB0-776D1E3F7E2A}: NameServer = 204.60.203.179 66.73.20.40

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner


    Reboot to Normal Windows

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After you have completed the above, Scan with HijackThis and attach the new log.
     
  35. ktatt33

    ktatt33 Private E-2

    Here's the latest...no changes though I don't think...When I went to fix
    017 - HKLM\System\CCS\Services\Tcip\..\{AB61CD53-8DBD-4440-BCB0-776D1E3F7E2A}:NameServer = 204.60.203.179 66.73.20.40
    It was not there...
     

    Attached Files:

  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we do anything else, go to Windows Updates and install Service Pack 2. Afterwards come back and post a fresh HJT log.

    Also, are you familiar with, and do you use, MicroAntivirus?
     
  37. ktatt33

    ktatt33 Private E-2

    Okay when I try to get to the Windows update site, I am redirected to the same weird search engine site...I have tried typing the web address, accessing it from other websites and I can't get to it...And yes I am a little familiar with microantivirus...I have it downloaded on my computer
     
  38. ktatt33

    ktatt33 Private E-2

    Okay so somehow I got Service pack 2 installed on my computer so ignore the above post...here's the latest log file


    P.S. Do you guys ever get a break???
     

    Attached Files:

  39. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have HJT create a startup list.

    Do this by running HJT, select the option "Open the Misc Tools section" and choose Generate StartupList log.

    Attach this log to your next post.
     
  40. ktatt33

    ktatt33 Private E-2

    Here you go.... Whatever I have on my computer has now started to not let me go to websites that I view frequently...I don't know if this is important but I thought I'd let you know...
     

    Attached Files:

  41. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download DelDomains and unzip it to your desktop. Do not run it yet.

    Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

    After you do this reboot and see if problem remains.
     
  42. ktatt33

    ktatt33 Private E-2

    Right clicked installed...rebooted...still cannot check email...
     
  43. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! This is most likely going to be a Software issue. If you like I can relocate this thread for you or you can post your problem in the Software Forum.

    Let me know!
     
  44. ktatt33

    ktatt33 Private E-2

    Please...I really appreciate all of your help...Thanks again...
     
  45. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Moved as per your request. Also, just to give the users in the Software Forum a heads up of what's going on, drop a message briefing them on the problems you're currently having. If needed you will be sent back to the Spyware Forum.

    Good Luck:)
     
  46. ktatt33

    ktatt33 Private E-2

    I need help...I think I have a hijacker that may be interfering with my software...I was sent here from the spyware guys to hopefully get some help from you guys...I have Microsoft XP...I have run all sorts of spyware removal...regfix...I still cannot check my email...it's getting worse because this weird search engine that pops up when I click the email tab is starting to come up when I go to some sites...Please help
     
  47. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    This does not appear to be a Hijacker type problem, otherwise bjgarrick wouldn't have moved the thread here.

    What program are you using to check your email?

    What is the name of this 'weird' search engine that keeps popping up?
     
  48. Matacumbie

    Matacumbie Rocky Top

    Just a few things to help all of us.

    1. When did this start?

    2. What exactly happens when you try to check email (outlook express, outlook, web-based)?

    3. What does the "weird search engine" say, what's the name of it?

    The more info the better.

    Steve
     
  49. ktatt33

    ktatt33 Private E-2

    1. This started May 18...

    2. I have SBC Yahoo DSL. When I click on the email tab it automatically reroutes to this search engine...

    3. The search engine does not have a title...
     
  50. ktatt33

    ktatt33 Private E-2

    I use SBC Yahoo DSL

    There is no title for this search engine...It just says search the web...
     
